Survey of ISO certifications, results for 2015

ISO publishes surveys of the number of ISO certifications; they are worth a look :-)

The table below is taken from the executive summary.

ISO survey 2015-001

There are also Excel files available for each ISO standard that show certifications per country or industry… For example, for ISO 27001, the total number over the years is shown below.

ISO survey 2015-002


Study report “Women in Cybersecurity”, by several co-authors

It is worth having a look at the recent study report called The 2017 Global Information Security Workforce Study: Women in Cybersecurity.

It can be found on the research page of the Center for Cyber Safety and Education, or directly here.

Women in cybersecurity


Flowgorithm, a visual programming tool with source code generation

Flowgorithm is one of the visual programming tools available today.

Positive:

  • visual programming; the focus is more on modelling how to solve the problem than on the syntax of a programming language like Java, C# or Python.
  • can generate code in many programming languages

Negative:

  • so far there is no way to read and write files

The figure below shows execution in progress at slow speed. One can see where the execution is, both in the big flowchart and in the source code window (in this case Java). In addition, there is a variable window (lower left) showing that 2 lotto numbers have been generated so far. The console window on the lower right is used for input and output operations.

flowgorith-lottonumbers-execution

The figure below is the clipboard copy of the flowchart in Flowgorithm. The tool can also export in EMF and SVG formats.

flowgorith-lottonumbers-flow

Visual program file for lotto

This file is zipped. Unzip it to get the “Lotto.fprg” file.

Testing the Java source

The generated Java code worked well, as can be seen in the figure below. DrJava (portable) was used to compile and run the code. Only 1 minor tweak was needed (i.e. one needed to initialize the NewNumber variable, see the line “int NewNumber = 0;”).

flowgorith-lottonumbers-compiled-java


Links

  • Another similar tool is Raptor, but with different features (read/write files, some basic graphics)

Morse Learner, a tool for learning Morse code (receiving and sending)

Morse Learner is a portable and handy piece of software for learning both the receiving and sending of Morse code (characters made of DAHs and DITs).

In the beginning it starts with a small set of characters, and there are options to change the speed etc.

Receiving mode

Morsecode-receive

Sending mode

Morsecode-transmit

In this tool, it is also possible to use a real Morse key. In the picture below, a USB-RS232 cable is used. On the serial DB9 connector, pins 7 and 8 are connected to the Morse key. (The Morse key is a simple 15 € key.)

Morsecode-key


Portable OCR tools to extract text from scanned pages

In addition to the previously mentioned gImageReader, these 2 other portable OCR tools worked well in the following scenarios:

For PDF-XChange Viewer one might need to install a language package first. (The installation folder is “PortableApps\PDF-XChangeViewerPortable\App\PDFV_Portable”).

Please note that IrfanView also has a plugin for OCR. It is called KADMOS and is available via the plugin page or here. However, for some reason the results were not good for the cases where I needed OCR.


Converting ISO 27002 into an Excel file and a graph

ISO 27002 “Code of practice for information security controls” lists 144 controls, all with the same structure. If one would like to work on these controls, for example reusing them in other documentation or in a presentation, it can be tedious to re-write the text manually into another format. Instead one can try to automate as much as possible and process the text of the standard with a simple scripting language. In this blog, the text is first processed by an AutoIt script.

The steps

The figure below shows the overview of the steps.

  • The input file for processing (with the AutoIt script) is the text of the ISO 27002 standard.
  • The 3 outputs are an Excel file and an Access database with all the content from those 114 controls, and a picture with the control categories (heading H2 level).

ISO27002-convert-steps

The content of ISO 27002 cannot be reproduced here. But the following files are provided in case you want to try these things yourself:

The output of the first AutoIt script is an XML file. The structure of this XML file is shown below. This structure was selected because the layout of ISO 27002 mostly follows this kind of heading and chapter structure. Some manual editing of the txt file is needed to make the input file follow a consistent structure. This way the same parser code can be used without needing to program exceptions (i.e. fixing the data quality rather than the code).


<iso27002>
  <clause>
    <clause_title_h1>             </clause_title_h1>
    <control_category>
      <control_category_title_h2>   </control_category_title_h2>
      <category_objective>          </category_objective>
      <security_control>
        <control_title_h3>            </control_title_h3>
        <control_text>                </control_text>
        <implementation_guidance>     </implementation_guidance>
        <other_information>           </other_information>
      </security_control>
    </control_category>
  </clause>
</iso27002>
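
The parsing step that produces the structure above, as an added example in Python rather than the author's AutoIt script (which is not reproduced on this page). It assumes the cleaned input uses numbered headings (N, N.N, N.N.N), an "Objective:" line under each category and the labels "Control", "Implementation guidance" and "Other information" on their own lines; the sample text is constructed placeholder wording, and any line that breaks the structure raises an error so that the input gets fixed rather than the parser.

```python
import re
import xml.etree.ElementTree as ET
# Constructed placeholder text: only the heading pattern is modelled, no wording of the standard.
SAMPLE = """\
5 Example clause
5.1 Example category
Objective: Placeholder objective text.
5.1.1 Example control A
Control
Placeholder control statement.
Implementation guidance
Placeholder guidance, line one.
Placeholder guidance, line two.
5.1.2 Example control B
"""
HEADING = re.compile(r"^(\d+(?:\.\d+){0,2})\s+\S")   # assumed heading numbering: N, N.N, N.N.N
LEVELS = [("clause", "clause_title_h1"), ("control_category", "control_category_title_h2"),
          ("security_control", "control_title_h3")]
SECTIONS = {"Control": "control_text", "Implementation guidance": "implementation_guidance",
            "Other information": "other_information"}

def parse(text):
    root = ET.Element("iso27002")
    stack, field, fields = [root], None, {}          # stack = currently open elements
    for n, line in enumerate(map(str.strip, text.splitlines()), 1):
        if m := HEADING.match(line):
            depth = m.group(1).count(".")            # 0 = clause, 1 = category, 2 = control
            if depth >= len(stack):
                raise ValueError(f"line {n}: heading has no parent: {line!r}")
            del stack[depth + 1:]                    # close any deeper open elements
            node = ET.SubElement(stack[depth], LEVELS[depth][0])
            stack.append(node)
            ET.SubElement(node, LEVELS[depth][1]).text = line
            field, fields = None, {}
            if depth == 1:
                field = ET.SubElement(node, "category_objective")
            elif depth == 2:                         # always emit all three fields: stable columns
                fields = {k: ET.SubElement(node, t) for k, t in SECTIONS.items()}
        elif line in fields:                         # a section label switches the target field
            field = fields[line]
        elif line and field is not None:             # body text: append to the current field
            if field.tag == "category_objective":
                line = line.removeprefix("Objective:").strip()
            field.text = f"{field.text} {line}" if field.text else line
        elif line:
            raise ValueError(f"line {n}: text outside any section: {line!r}")
    return root

if __name__ == "__main__":
    print(ET.tostring(parse(SAMPLE), encoding="unicode"))
```

Because every control gets all three field elements even when they are empty, a spreadsheet import of the result sees the same columns in every row.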

Output 1: the graph (and picture)

The figure below is exported from yEd after it has been manually beautified :-)

ISO27002-convert

When importing to yEd, one needs to map the data for both Edges and Nodes, and also choose the label for the Nodes (in the presentation tab).

ISO27002-convert-importtoyEd

Output 2: the Access database

The XML import to Excel works well, and the first row contains the data field names. However, it is difficult to browse this manually since some fields are quite long. Therefore one can also store the data in another format; in this case the Excel file was imported into an Access database. In the basic view mode, one can see the rows with equal spacing and that there are 144 rows (i.e. controls).

ISO27002-convert-accessdb2


Process reference model (PRM) for ISMS (ISO 27001)

ISO TS 33052:2016 “Process reference model (PRM) for information security management” is an interesting document which can be useful when evaluating the possible ways to implement the information security management system (ISMS) processes (see ISO 27001 ISMS requirements). This Technical Specification (TS) contains process descriptions of 26 processes, and the relationship between ISO 27001 requirements and the PRM (in annex A). The 26 processes are shown in the figure below:

ISO 33052-1

Each process description contains the following elements:

  • Process ID
  • Name
  • Purpose
  • Context
  • Outcomes
  • Requirements traceability

Please note that this TS is not implementation guidance, but is used as a basis for the PAM (Process assessment model) that is described in ISO TS 33072 “Process capability assessment model for information security management”.

About ISO related standards

  • ISO 27001 ISMS requirements
  • ISO 27003 for ISMS implementation guidance
  • ISO 27004 ISMS monitoring, measurement, analysis and evaluation
  • ISO 27007 Guidelines for ISMS auditing
  • ISO 27013 Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 (ie. for service providers)

BSI Standards

When looking for ways to implement an ISMS, it is also worth having a look at the BSI standards, especially BSI 100-2! They are freely available here.